XML Signature (also called XMLDSig, XML-DSig, XML-Sig) defines an XML syntax for digital signatures and is defined in the W3C recommendation XML Signature Syntax and Processing. Functionally, it has much in common with PKCS#7 but is more extensible and geared towards signing XML documents. It is used by various Web technologies such as SOAP, SAML, and others.

XML signatures can be used to sign data–a resource–of any type, typically XML documents, but anything that is accessible via a URL can be signed. An XML signature used to sign a resource outside its containing XML document is called a detached signature; if it is used to sign some part of its containing document, it is called an enveloped signature; if it contains the signed data within itself it is called an enveloping signature.

1 Configure XML-DSig

You can configure a few parameters before signing a document.

1.1 Select Digest method

You can select any of the available methods (default is SHA256):

  • SHA1
  • SHA224
  • SHA256
  • SHA384
  • SHA512
  • RIPEMD160
  • SHA3_224
  • SHA3_256
  • SHA3_384
  • SHA3_512

<script>
    var dbf = new Ax.xml.DocumentBuilderFactory();
    dbf.setNamespaceAware(true);
   
    var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
    
    var dst = new Ax.crypt.XMLDSig(xml);
    console.log(dst.getDigestMethod());
    dst.setDigestMethod("SHA512");
</script>

1.2 Select Signature method

You can select any of the available methods (default is RSA_SHA256):

  • DSA_SHA1
  • DSA_SHA256
  • ECDSA_SHA1
  • ECDSA_SHA224
  • ECDSA_SHA256
  • ECDSA_SHA384
  • ECDSA_SHA512
  • HMAC_SHA1
  • HMAC_SHA224
  • HMAC_SHA384
  • HMAC_SHA512
  • RSA_SHA1
  • RSA_SHA224
  • RSA_SHA256
  • RSA_SHA384
  • RSA_SHA512
  • SHA1_RSA_MGF1
  • SHA224_RSA_MGF1
  • SHA256_RSA_MGF1
  • SHA384_RSA_MGF1
  • SHA512_RSA_MGF1

The signature method is usually determined by the type of key. If you use an RSA key, the signature method must be an RSA method; if you use a DSA key, it must be a DSA method.

<script>
    var dbf = new Ax.xml.DocumentBuilderFactory();
    dbf.setNamespaceAware(true);
   
    var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
    
    var dst = new Ax.crypt.XMLDSig(xml);
    console.log("Digest Method ...: " + dst.getDigestMethod());
    dst.setDigestMethod("SHA512");
    console.log("Signature Method : " + dst.getSignatureMethod());
    dst.setSignatureMethod("RSA_SHA1");
</script>

1.3 Select Canonicalization method

The canonicalization method (transform) can be selected using one of the following constants (default is ENVELOPED):

  • ENVELOPED: http://www.w3.org/2000/09/xmldsig#enveloped-signature
  • INCLUSIVE: http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  • INCLUSIVE_WITH_COMMENTS: http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
  • EXCLUSIVE: http://www.w3.org/2001/10/xml-exc-c14n#
  • EXCLUSIVE_WITH_COMMENTS: http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  • BASE64: http://www.w3.org/2000/09/xmldsig#base64
  • XPATH: http://www.w3.org/TR/1999/REC-xpath-19991116
  • XPATH2: http://www.w3.org/2002/06/xmldsig-filter2

With ENVELOPED the generated SignedInfo uses inclusive canonicalization and adds the enveloped-signature transform to the Reference, as in the example output in section 2.

<script>
    var dbf = new Ax.xml.DocumentBuilderFactory();
    dbf.setNamespaceAware(true);
   
    var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
    
    var dst = new Ax.crypt.XMLDSig(xml);
    dst.setDigestMethod("SHA512");
    dst.setSignatureMethod("RSA_SHA1");
    dst.setCanonicalizationMethod("ENVELOPED");

    console.log("Digest Method ...: " + dst.getDigestMethod());
    console.log("Signature Method : " + dst.getSignatureMethod());
    console.log("is Enveloped?... : " + dst.isEnveloped());

</script>

1.4 Signature Namespace

This method defines the namespace prefix used for the Signature element generated by XMLDSig.

<script>
    // Load a keystore
    var ks = new Ax.ks.KeyStoreManager("https://bitbucket.org/deister/axional-docs-resources/raw/master/KeyStores/swview/jks-files/jack.jks", "secret");

    var dbf = new Ax.xml.DocumentBuilderFactory();
    dbf.setNamespaceAware(true);
   
    var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
    
    var dst = new Ax.crypt.XMLDSig(xml);
    dst.setDigestMethod("SHA512");
    dst.setSignatureMethod("RSA_SHA1");
    dst.setEnveloped(false);
    dst.setNamespacePrefix("ds");
    
    console.log("Digest Method ...: " + dst.getDigestMethod());
    console.log("Signature Method : " + dst.getSignatureMethod());
    console.log("is Enveloped?... : " + dst.isEnveloped());

    // Sign the document using the keystore private key with alias "jack" and password "moon"
    console.log(dst.sign(ks, "jack", "moon"));
</script>

2 Examples

The following example signs an XML document.

<script>
    // Load a keystore
    var ks = new Ax.ks.KeyStoreManager("https://bitbucket.org/deister/axional-docs-resources/raw/master/KeyStores/swview/jks-files/jack.jks", "secret");
    
    // Load an XML document
    var src = new Ax.xml.XMLDocument(new Ax.net.URL('https://bitbucket.org/deister/axional-docs-resources/raw/master/XML/books.xml'));
    
    // Sign the document using the keystore private key with alias "jack" and password "moon"
    var dst = new Ax.crypt.XMLDSig(src).sign(ks, "jack", "moon");
    
    // Show the returned XML document String
    console.log(dst);
</script>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<catalog>
    <book id="bk101">
        <author>Gambardella, Matthew</author>
        <title>XML Developer's Guide</title>
        <genre>Computer</genre>
        <price>44.95</price>
        <publish_date>2000-10-01</publish_date>
        <description>An in-depth look at creating applications with XML.
        </description>
    </book>
    ...
    <book id="bk112">
        <author>Galos, Mike</author>
        <title>Visual Studio 7: A Comprehensive Guide</title>
        <genre>Computer</genre>
        <price>49.95</price>
        <publish_date>2001-04-16</publish_date>
        <description>Microsoft Visual Studio 7 is explored in depth,
          looking at how Visual Basic, Visual C++, C#, and ASP+ are 
          integrated into a comprehensive development 
          environment.
        </description>
    </book>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="">
        <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>zolcPXUMCIref0InS0KhgpYS6u7J6SgrAEpj//MjClU=</DigestValue>
    </Reference>
</SignedInfo>
<SignatureValue>TtFgg6rNkwBtwshvmocjcFk2hbDYivf20ywWEgEXN7onIAXMP3sk9yHR35IssO8s6rS0BWb7LTf6&#13;
AwM3d3nogv3g18uZUDyjI9qOX6XeDP5/K/rzC1gie0OV9EMBJ7PWoigB1K97I+Ab1nSzLs6kQkja&#13;
VLCGd82FYaEOLTkZ6Es=</SignatureValue>
<KeyInfo>
    <X509Data>
        <X509SubjectName>CN=Jack Daniel,OU=Training,O=Software View,L=Colombo,ST=Western,C=LK</X509SubjectName>
        <X509Certificate>MIIC9jCCAl+gAwIBAgIJAParOnPwEkKlMA0GCSqGSIb3DQEBBQUAMIGKMQswCQYDVQQGEwJMSzEQ&#13;
        MA4GA1UECBMHV2VzdGVybjEQMA4GA1UEBxMHQ29sb21ibzEWMBQGA1UEChMNU29mdHdhcmUgVmll&#13;
        dzERMA8GA1UECxMIVHJhaW5pbmcxLDAqBgNVBAMTI1NvZnR3YXJlIFZpZXcgQ2VydGlmaWNhdGUg&#13;
        QXV0aG9yaXR5MB4XDTEwMDcxMDA2MzMxOFoXDTI0MDMxODA2MzMxOFowcjELMAkGA1UEBhMCTEsx&#13;
        EDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xFjAUBgNVBAoTDVNvZnR3YXJlIFZp&#13;
        ZXcxETAPBgNVBAsTCFRyYWluaW5nMRQwEgYDVQQDEwtKYWNrIERhbmllbDCBnzANBgkqhkiG9w0B&#13;
        AQEFAAOBjQAwgYkCgYEAqAIsXru2kWzNXidrgyapDb7GdmhUwNFx1rOimDyu2RrJN9sIv0Zi2B0K&#13;
        p1xSQiBPWabXbtt3wB1LzS2P19tMC+MW7BTYz0mRg4n9vSoa+mTJ3Ea6/v4W97a701BSEOlTxysV&#13;
        ltqgO+D3gD9uNVpjiCNjXP3FlXrw44aDnXwme3sCAwEAAaN7MHkwCQYDVR0TBAIwADAdBgNVHQ4E&#13;
        FgQUDp+pbeXQHmYiubDctF8b+C4g6V0wHwYDVR0jBBgwFoAU1rdiaEM7sE7BtSqZhTWT9Tqn9RQw&#13;
        LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMA0GCSqGSIb3DQEB&#13;
        BQUAA4GBACcLqPwC9cATSqe+Kes5r6kcgo8eN3QME+HVSQocFSaRVrZ8iOrl0NAXway2JOGdjIFC&#13;
        n2gU4NAkrDAzjJ1AlwrfCT/1FDL5hu4BTdY13ZpwBf5MU6LB6x2tc+Jbo4bQrskEEIfGpOcyuB/w&#13;
        BJtJQeONjLuY2ouX9pvaaHj2cpzS</X509Certificate>
    </X509Data>
</KeyInfo>
</Signature>
</catalog>
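The `sign` call returns the document with a `Signature` element appended, as shown in the output above. The following Python script, added here as an example and not code from the page or from the Ax library, builds that same structure by hand and then verifies it, so that the two steps behind the digest method of section 1.1, the signature method of section 1.2 and `setCanonicalizationMethod("ENVELOPED")` of section 1.3 are visible: the `Reference` digest is computed over the canonicalized document with every `Signature` element removed (the enveloped-signature transform), and the signature value is computed over the canonicalized `SignedInfo`. It assumes an HMAC-SHA256 key (constructed) in place of the page's RSA keystore key, the standard library's C14N 2.0 in place of the REC-xml-c14n-20010315 algorithm the page names, and a constructed two-book catalog. The verifier pins every algorithm URI before it checks anything, which is the check a practitioner should add whatever library does the cryptography.

```python
"""Enveloped XML signature over a small catalog, built and then verified with only the
Python standard library. Added example; not code from the page or from the Ax library."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
DS = "{%s}" % DSIG_NS
ET.register_namespace("ds", DSIG_NS)  # same prefix as setNamespacePrefix("ds") on the page

# Algorithm URIs exactly as they appear inside a SignedInfo element.
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"   # page constant ENVELOPED
C14N_INCLUSIVE = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"   # page constant INCLUSIVE
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"             # from the page's output
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"    # RFC 4051; stands in for RSA

SECRET = b"constructed-demo-key"  # constructed: stands in for the keystore's private key

# Constructed input with the same shape as the page's books.xml.
CATALOG = (
    '<catalog>'
    '<book id="bk101"><author>Gambardella, Matthew</author><price>44.95</price></book>'
    '<book id="bk112"><author>Galos, Mike</author><price>49.95</price></book>'
    '</catalog>'
)


def c14n(elem):
    """Canonical bytes of an element. The stdlib implements C14N 2.0, not the 2001
    C14N 1.0 that the page's URI names; on a document like this the output is the same."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def reference_digest(root):
    """Reference URI="" plus the enveloped-signature transform: hash the whole document
    with every ds:Signature removed, so the digest cannot depend on the signature itself."""
    clone = copy.deepcopy(root)
    for parent in list(clone.iter()):
        for sig in parent.findall(DS + "Signature"):
            parent.remove(sig)
    return base64.b64encode(hashlib.sha256(c14n(clone)).digest()).decode("ascii")


def sign_enveloped(doc_xml, key=SECRET):
    """Append a ds:Signature to the root element (what the page's sign() does when enveloped)."""
    root = ET.fromstring(doc_xml)
    sig = ET.SubElement(root, DS + "Signature")
    si = ET.SubElement(sig, DS + "SignedInfo")
    ET.SubElement(si, DS + "CanonicalizationMethod", Algorithm=C14N_INCLUSIVE)
    ET.SubElement(si, DS + "SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, DS + "Reference", URI="")
    ET.SubElement(ET.SubElement(ref, DS + "Transforms"), DS + "Transform", Algorithm=ENVELOPED)
    ET.SubElement(ref, DS + "DigestMethod", Algorithm=DIGEST_SHA256)
    ET.SubElement(ref, DS + "DigestValue").text = reference_digest(root)
    # The signature covers the canonicalized SignedInfo, and through it the digest.
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, DS + "SignatureValue").text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def _algorithm(parent, name):
    child = parent.find(DS + name) if parent is not None else None
    return child.get("Algorithm") if child is not None else None


def verify_enveloped(signed_xml, key=SECRET):
    """Verifier: pin the algorithms, recompute the digest, then check the MAC."""
    root = ET.fromstring(signed_xml)
    sig = root.find(DS + "Signature")
    si = sig.find(DS + "SignedInfo") if sig is not None else None
    ref = si.find(DS + "Reference") if si is not None else None
    if ref is None:
        return False
    # Do not let SignedInfo choose the algorithms: a verifier that accepts whatever URIs it
    # declares can be steered to a weaker digest, another transform or another key type.
    if _algorithm(si, "CanonicalizationMethod") != C14N_INCLUSIVE:
        return False
    if _algorithm(si, "SignatureMethod") != HMAC_SHA256:
        return False
    transforms = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
    if ref.get("URI") != "" or transforms != [ENVELOPED]:
        return False
    if _algorithm(ref, "DigestMethod") != DIGEST_SHA256:
        return False
    if ref.findtext(DS + "DigestValue") != reference_digest(root):
        return False  # document content changed after signing
    expected = base64.b64encode(hmac.new(key, c14n(si), hashlib.sha256).digest())
    actual = (sig.findtext(DS + "SignatureValue") or "").encode("utf-8")
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    signed = sign_enveloped(CATALOG)
    print(signed)
    print("valid:", verify_enveloped(signed))
    print("after tampering:", verify_enveloped(signed.replace("44.95", "4.95")))
```

With the page's RSA_SHA256 setting the SignatureValue would be an RSA signature over the same canonicalized SignedInfo bytes and KeyInfo would carry the certificate, as in the output above; the digest step and the algorithm pinning are unchanged.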